What does Ferretly do?

Ferretly is an AI-powered social media background screening platform that analyzes publicly available online content to surface behavioral risk signals for hiring, compliance, and brand protection.

Is Ferretly compliant with FCRA and other regulations?

Ferretly is designed with regulatory compliance at its core. Its workflows support Fair Credit Reporting Act requirements and align with EEOC and GDPR guidance when used for employment-related social media screening.

Ferretly is used by employers, staffing and background screening providers, government agencies, financial services organizations, healthcare providers and brands that want deeper insight into digital behavior than traditional background checks provide.

What data sources does Ferretly analyze?

Ferretly analyzes public content across major social media platforms and can incorporate web, news and media sources to build a clearer picture of digital behavior over time.

How long of a history can Ferretly review?

Depending on the plan and use case, Ferretly can review up to approximately ten years of publicly available social media content, with options for continuous monitoring going forward.

The FinCEN IA AML Rule, Explained: What the 2028 Delay Means for RIAs

FinCEN IA AML Rule for RIAs: 2028 Delay & Compliance Guide Meta description: FinCEN delayed the Investment Adviser AML Rule to January 1, 2028. Here's what compliance leaders at RIAs and ERAs need to understand about the rule, the delay, and what to build during the runway.

June 4, 2026

The Rule, the Delay, and What ComesNext

On December 31,2025, the Financial Crimes Enforcement Network issued a final rule postponingthe effective date of the Investment Adviser Anti-Money Laundering Rule fromJanuary 1, 2026 to January 1, 2028. The rule itself—finalized in fall 2024under the prior administration—remains intact in substance. Only the effectivedate moved. FinCEN simultaneously signaled its intent to revisit andpotentially tailor the rule's scope during the two-year window, in coordinationwith the SEC's still-pending Customer Identification Program rulemaking.

For roughly 14,000SEC-registered investment advisers and 6,000 exempt reporting advisers—collectively managing approximately $119 trillion in client assets—the delay creates a strategic decision point. Some firms are reading it as a reason to slow down. Others are reading it as runway to build the program correctly.

This guide is for the compliance leaders making that decision. It covers what the FinCEN IA AMLRule actually requires, why it was delayed, what's likely to change before2028, and what mature firms are building during the interim.

What Is the FinCEN IA AML Rule?

The FinCEN IA AMLRule, formally adopted in 2024 and codified at 31 CFR 1032, designates certain investment advisers as "financial institutions" under the BankSecrecy Act. The designation triggers a defined set of anti-money laundering and counter-financing of terrorism (AML/CFT) obligations that previously applied only to banks, broker-dealers, money services businesses, and a handful of other regulated entities.

The rule's foundational requirements track the BSA's longstanding framework for financial institutions: a written AML/CFT program approved by senior management, a designated compliance officer, employee training, independent testing, customer due diligence, suspicious activity reporting, and record keeping. What the IAAML Rule did was extend that framework into a sector—investment advisory—that had operated outside formal BSA coverage for the previous two decades.

The policy rationale, articulated by Treasury and reinforced by Treasury's 2024 risk assessment, is straightforward. The investment advisory sector represents a material gap in U.S. AML/CFT coverage. Foreign adversaries, sanctioned actors, corrupt officials, and organized crime networks have used private fund structures, complex advisory arrangements, and the relative opacity of the sector to move illicit funds into the U.S. financial system. Closing that gap—bringing investment advisers under the same regulatory umbrella as the rest of the financial sector—is the rule's central objective.

Why the Rule Got Delayed to 2028

In July 2025,Treasury announced its intention to postpone the rule's effective date by two years. FinCEN issued a proposed rule formalizing the delay in September 2025, opened a comment period, and adopted the final delay rule on December 31, 2025.

The rationale, as stated by FinCEN and Treasury, has several components. First, the rule asoriginally drafted imposed substantial implementation costs across a sectorwith significant diversity in business models, client bases, and risk profiles.Solo RIAs managing $200 million in family-office assets would have facedessentially the same program requirements as multi-billion-dollar institutionaladvisers—a structure several commenters argued was poorly calibrated.

Second, the IA AMLRule was meant to operate in coordination with a parallel CustomerIdentification Program rule, jointly proposed by FinCEN and the SEC, which would establish identity verification obligations for advisory client on boarding. The CIP rule remains pending. Implementing the IA AML Rule onJanuary 1, 2026 without the CIP rule in place would have created a sequencing problem: firms would have built CDD programs without the CIP architecture intended to anchor them.

Third, FinCEN signaled an intent to substantively review the rule—not just delay it. The two-year window is positioned as time for FinCEN to reassess the rule's scope, tailor its requirements to sector diversity, and coordinate sequencing with theCIP rule making. The substance of what advisers will need to build by January 1,2028 may not match the substance of what they would have needed to build byJanuary 1, 2026.

It's worth noting that the delay drew opposition. Several commenters—including transparency organizations and former Treasury officials—argued that the existing gap inU.S. AML coverage creates active exploitation risk, and that a two-year extension prolongs the vulnerability. FinCEN acknowledged the concern in the final rule but proceeded with the delay regardless.

Who Is Covered Under the Rule (And WhoIs Exempt)

The rule, as currently drafted, applies to two categories of investment advisers:

SEC-registered investment advisers (RIAs). Firms registered with the SEC under the Investment Advisers Act of 1940, generally those managing $100 million or more in regulatory assets under management or otherwise meeting registration thresholds.

Exempt reporting advisers (ERAs). Firms that file reports with the SEC but are exempt from full registration—primarily private fund advisers (Section 203(m)exemption) and venture capital fund advisers (Section 203(l) exemption).

State-registered investment advisers, mid-sized advisers below the SEC registration threshold, and family offices that meet the family office exemption under Rule202(a)(11)(G)-1 are outside the rule's scope. Foreign private advisers as defined under the Advisers Act are also excluded.

Sub-advisers presenting an interesting edge case. The rule, as drafted, applies the obligation to the SEC-registered or exempt reporting adviser regardless of whether that adviser delegates investment management to a sub-adviser. A firm using sub-advisers cannot delegate the AML program obligation, though it may delegate execution of specific program functions under appropriate oversight.

The expected scope tailoring during the 2026–2028 window may modify these definitions. Several industry commenters have pushed for narrower coverage—excluding ERAs entirely, raising the AUM threshold, or carving out specific business models. WhetherFinCEN accepts those arguments will materially affect which firms need to build a full program by 2028.

What the Rule Requires: The CoreAML/CFT Program

Under the IA AMLRule as currently structured, covered advisers must establish and maintain a written AML/CFT program containing the following elements:

1. Policies, procedures, and internal controls reasonably designed to prevent the firm from being used to facilitate money laundering or terrorist financing, and to ensure compliance with applicable BSA provisions.

2. A designated AML/CFT compliance officer with sufficient authority, independence, and resources to oversee the program.

3. Ongoing employee training appropriate to the firm's size, risk profile, and the roles of trained personnel.

4. Independent testing of the program's adequacy, conducted by qualified personnel (internal or external) who do not have AML/CFT program responsibilities.

5. Risk-based customer due diligence procedures, including ongoing monitoring sufficient to detect and report suspicious activity.

Each element is shaped by the size and risk profile of the firm. A small ERA advising a single venture fund of institutional limited partners will operate a materially different program than a large RIA managing retail client accounts across multiple geographies. The rule does not prescribe uniform program design; it requires that program design reasonably address the firm's specific risk exposure.

Suspicious Activity Reporting and OFACObligations

The IA AML Rule, when effective, will require covered advisers to file Suspicious ActivityReports (SARs) on transactions involving $5,000 or more that the adviser knows, suspects, or has reason to suspect involve funds derived from illegal activity, are designed to evade BSA reporting requirements, have no apparent lawful purpose, or involve the use of the adviser to facilitate criminal activity.

SAR filing carries strict confidentiality rules under 31 U.S.C. § 5318(g). Advisers cannot disclose to the subject—or to anyone outside the firm and certain authorized recipients—that a SAR has been filed or considered. Violations of the "no tipping off" rule carry their own civil and criminal penalties.

OFAC sanctions screening sits adjacent to the IA AML Rule but is structurally independent.Office of Foreign Assets Control jurisdiction extends to all U.S. persons, including RIAs and ERAs, and applies today—not in 2028. The IA AML Rule, when effective, will formalize expectations around how sanctions screening integrates with the broader compliance program. But the underlying OFAC obligation—including the requirement to screen against the SDN List, sectoral sanctions, and the OFAC 50% Rule—is already in force and remains so regardless of the IA AML Rule delay.

For a deeper read on how RIAs should operationalize OFAC sanctions screening specifically—and why the FinCEN delay doesn't change those obligations—see our OFAC sanctions screening guide for RIAs.

Recordkeeping and Information Sharing

Covered advisers will need to maintain BSA-required records for five years, including SAR documentation, CDD records, and supporting documentation for program decisions.The five-year retention period runs from the date of the relevant transaction or, in the case of CDD records, from the closure of the client relationship.

The rule also brings advisers within scope of two BSA information-sharing provisions:

Section 314(a) allows law enforcement to query financial institutions for records on individuals or entities of interest to ongoing investigations. Covered advisers will be required to search their records and respond to these queries withinfixed timeframes.

Section 314(b) allows financial institutions to share information with each other—voluntarily, under a safe harbor—about suspected money laundering or terrorist financing activity. Participation is optional but commonly used by larger institutions for collaborative investigation of cross-firm patterns.

Several commenters during the delay rule making asked FinCEN to issue further guidance on how314(a) and 314(b) will operate for the advisory sector—specifically around sub-adviser arrangements and information sharing among affiliates. FinCEN noted the requests but did not address them in the delay rule. Guidance is expected during the 2026–2028 window.

Common Implementation Gaps RIAs AreStill Working Through

For firms that began building toward the original January 1, 2026 deadline before the delay was announced, several implementation challenges have surfaced repeatedly. The two-year extension provides time to close these gaps—but only if firms continue building.

Vendor due diligence and third-party data integrity. AML/CFT programs depend on third-party data sources for sanctions lists, PEP data, adverse media, and identity verification. Firms have struggled to assess vendor source coverage, update frequency, and audit-trail defensibility—particularly when vendors aggregate data without disclosing primary source provenance.

Sub-account and beneficial ownership resolution. RIAs managing pooled vehicles, family offices, and complex fund structures face a real operational challenge resolving beneficial ownership down to the individual level required for CDD and OFAC 50% Rule compliance. The CIP rule making, when finalized, is expected to clarify these expectations—but firms cannot wait until 2028 to start building the data architecture.

Ongoing monitoring infrastructure. Many firms have CDD procedures for client onboarding but lack the systematic ongoing monitoring expected under the rule. Building continuous monitoring—for both sanctions and behavioral risk—requires either internal infrastructure or vendor partnership. The technology decisions made now will shape the 2028 program.

Independent testing readiness. The rule requires independent testing of program adequacy. Firms that have not previously commissioned AML audits often underestimate the lead time required to identify qualified testers, scope the engagement, and complete a defensible review. Building testing into the 2026–2027 cycle creates an audit trail that demonstrates good-faith implementation.

What "Good" Looks Like: A Compliance Architecture That Holds Up

Mature programs share a few structural characteristics. Whether a firm is starting from scratch or strengthening an existing function, the architecture that survives examination tends to include:

Documented risk assessment. A written, firm-specific assessment of money laundering and terrorist financing risk, refreshed at defined intervals (typically annually) and tied directly to program design. Examiners look for evidence that the program's specifics—screening thresholds, monitoring cadence, training content—are calibrated to the assessed risk.

Senior management ownership. The AML/CFT compliance officer is positioned with the independence and resources required to halt suspicious transactions, escalate issues, and report directly to the board or equivalent governing body. Programs that bury the AMLO role under operations or sales rarely hold up.

Risk-based CDD with enhanced procedures for higher-risk clients. Customer due diligence is calibrated by risk tier. Enhanced due diligence (EDD) procedures apply to PEPs, high-net-worth clients with complex structures, clients in higher-risk jurisdictions, and any client whose behavior or background warrants additional scrutiny.

Continuous sanctions and behavioral monitoring. Point-in-time screening at onboarding is no longer adequate under either OFAC's current expectations or the IA AMLRule's anticipated requirements. Programs are built around continuous monitoring with defined alert workflows.

Defensible audit trails. Every screening decision, every cleared alert, every SAR consideration is documented in a time-stamped, immutable record. When examiners arrive, the firm can produce the complete history on demand—not reconstruct it from email archives.

Vendor architecture aligned to the program. Where third-party platforms support the program—sanctions screening, identity verification, adverse media, behavioral monitoring—the firm has clear documentation of source coverage, update cadence, FCRA compliance (where applicable), and audit trail integration.Vendor selection becomes part of the program's defensibility.

This is the architecture sophisticated programs are building today, regardless of the 2028effective date. The firms that wait until 2027 to start will not be able to assemble it in time.

How Ferretly Supports RIA AML Program Build

Ferretly's platform is purpose-built for the screening, monitoring, and audit-trail requirements that anchor a defensible AML/CFT program—for RIAs preparing for the 2028 IA AMLRule and for the OFAC, SEC, and FCRA obligations that apply today.

The platform delivers continuous sanctions and watchlist screening across 1,000+ global sources, integrated PEP and adverse media coverage, real-time alert workflows, and immutable FCRA-compliant audit trails. Ferretly adds agentic AI profile discovery—multi-agent identity resolution that materially reduces false positives while catching variant-name matches that legacy systems miss—and frame-by-frame video and audio analysis for behavioral risk signals invisible to text-only screening.

Ferretly is SOC 2Type 2 certified, GDPR-aligned, EU-US DPF certified, andPBSA-aligned—engineered for the regulatory environment RIAs and ERAs operate in.

For compliance leaders building toward 2028, Ferretly provides the screening, monitoring, and audit infrastructure required without the operational overhead of building it in-house.

The Bottom Line

The FinCEN IA AMLRule delay creates runway. It does not create a moratorium.

OFAC enforces today.The SEC examines today. The reputational and operational cost of an inadequate program is the same in 2026 as it will be in 2028. The firms that use the next two years to build the program right—risk assessment, continuous monitoring, defensible audit trails, integrated vendor architecture—will be ready when the rule takes effect.

The firms that use it as an excuse to defer will not.

See how Ferretly supports defensible AML and sanctions screening for investment advisers. Book a 20-minute live demo→